You can also read my blurb below, i.e. how I came to the
fact that upstream started to ship a vsftpd section (versions 0.6.2 and
0.7.1) which were different from my previously Debian-shipped one,
and it slipped through my hands.

ok - fix is needed.

Could you please verify that next version works ok for you:

http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.7.5-3~pre1_all.deb


> 2006-12-18 10:19:20,153 fail2ban.filter : INFO   Added logfile = 
> /var/log/auth.log
> 2006-12-18 10:19:20,154 fail2ban.filter : INFO   Set maxRetry = 3
> 2006-12-18 10:19:20,156 fail2ban.filter : INFO   Set findtime = 600
> 2006-12-18 10:19:20,157 fail2ban.actions: INFO   Set banTime = 24600
> 2006-12-18 10:19:20,159 fail2ban.filter : INFO   Set failregex = vsftpd: 
> \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> 2006-12-18 10:19:20,161 fail2ban.filter : INFO   Set ignoreregex =

> > 3. log lines which signaled failed attempt to login in vsftp

> Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
> "60.18.168.138"
> Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
> "60.18.168.138"
> Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
> "60.18.168.138" (x 100)

> Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
> "60.18.168.138"
> Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
> "60.18.168.138"
> Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
> "60.18.168.138" (x 100)

As you can see, the vsftpd filter looks for lines of the format
 vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
whereas yours (which came from auth.log, i.e. syslog, or from some other
custom file?) are quite different and don't bear any vsftp sign (besides
the pid # which probably belongs to vsftpd).

Surprisingly enough, none of the filters shipped with fail2ban was crafted
for such a log line.

The question now is how far you diverged from the stock configuration in
your vsftpd setup. I've installed vsftpd on my own box (running
unstable with vsftp 2.0.5-2).

> > I assume that you use stock config files (besides that custom jail.local
> > with enabled vsftpd section)
> Yes, that's right


-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

